pablo_supertux Advocate
Joined: 25 Jan 2004 Posts: 2946 Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
Posted: Wed Jul 10, 2024 8:40 pm Post subject: Is Gentoo's SSH vulnerable to regreSSHion? |
Hi
Qualys published a regression in OpenSSH a couple of days ago. I always update my Gentoo systems on Sunday evenings, so I'm fairly up to date.
I stumbled upon the script https://github.com/xaitax/CVE-2024-6387_Check that checks whether an OpenSSH installation is still vulnerable or not.
When I test it with my own host, I get this:
Code:
$ python /tmp/CVE-2024-6387_Check.py localhost
...
Servers likely vulnerable: 2
[+] Server at ::1 (running SSH-2.0-OpenSSH_9.7)
[+] Server at 127.0.0.1 (running SSH-2.0-OpenSSH_9.7)
...
I've just run an eix-sync, but my openssh is up to date (=net-misc/openssh-9.7_p1-r6). So the question is: is Gentoo still vulnerable, or is this just a false positive because the script only checks the signature against the most common distributions (like Debian, Ubuntu, RHEL, etc.)?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
pjp Administrator
Joined: 16 Apr 2002 Posts: 20484
pablo_supertux Advocate
Joined: 25 Jan 2004 Posts: 2946 Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
Posted: Wed Jul 10, 2024 9:43 pm Post subject: |
Cool, thanks. Yes, then that's a false positive of the tool.
dmpogo Advocate
Joined: 02 Sep 2004 Posts: 3416 Location: Canada
Posted: Wed Jul 10, 2024 9:44 pm Post subject: |
That check is trivial: it just checks whether your version of openssh is affected (the first formally unaffected is 9.8p1) and, if it is, whether it was patched, which for the check means being in the list of
Code:
patched_versions = [
    'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
    'SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
    'SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
    'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
    'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3',
    'SSH-2.0-OpenSSH_9.7p1 Debian-7',
    'SSH-2.0-OpenSSH_9.6 FreeBSD-20240701',
    'SSH-2.0-OpenSSH_9.7 FreeBSD-20240701'
]
of those distributions, which obviously knows nothing about Gentoo.
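The two posts above describe why the checker flags a patched Gentoo host: it triages purely on the version banner, and its "patched" list only knows Debian, Ubuntu and FreeBSD backport banners. The script below is an added example (not from the thread and not the xaitax checker's own code) that reproduces that banner-only logic, then adds the check that actually answers the question on Gentoo: comparing the installed package revision against the fixed revision named in the first post (net-misc/openssh-9.7_p1-r6). The patched-banner list is copied from dmpogo's post; the vulnerable ranges (below 4.4p1 unless patched for CVE-2006-5051, and 8.5p1 up to but not including 9.8p1) are from the Qualys advisory; the Gentoo version parser is deliberately simplified to the `_pN`/`-rN` suffixes this package uses; all banners and atoms fed to it are constructed so it runs offline.

```python
"""Banner-based regreSSHion triage versus the Gentoo package revision check."""
import re
from typing import Optional, Tuple

# Backport banners the thread's checker treats as patched (copied from the
# post above). There is no Gentoo entry, which is why Gentoo hosts are flagged.
PATCHED_BANNERS = {
    'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
    'SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
    'SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
    'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
    'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3',
    'SSH-2.0-OpenSSH_9.7p1 Debian-7',
    'SSH-2.0-OpenSSH_9.6 FreeBSD-20240701',
    'SSH-2.0-OpenSSH_9.7 FreeBSD-20240701',
}

# Affected ranges per the Qualys advisory for CVE-2024-6387.
OLD_FIX = (4, 4)            # < 4.4p1 vulnerable unless patched for CVE-2006-5051
REGRESSION_START = (8, 5)   # 8.5p1 reintroduced the bug ...
FIXED_RELEASE = (9, 8)      # ... and 9.8p1 is the first upstream release with the fix

_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable) from an SSH banner, or None if not OpenSSH."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify_banner(banner: str) -> str:
    """Banner-only triage: the same kind of logic the thread's checker applies."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    if banner.strip() in PATCHED_BANNERS:
        return "patched (known distro backport)"
    major_minor = version[:2]
    if major_minor < OLD_FIX:
        return "likely vulnerable (pre-4.4p1 unless patched for CVE-2006-5051)"
    if REGRESSION_START <= major_minor < FIXED_RELEASE:
        return "likely vulnerable"
    return "not vulnerable"


# Gentoo side. Simplified atom grammar: optional category, then
# openssh-<major>.<minor>[_p<N>][-r<N>]. Real Portage versions allow more.
_ATOM_RE = re.compile(r"^(?:[\w+-]+/)?openssh-(\d+)\.(\d+)(?:_p(\d+))?(?:-r(\d+))?$")

# First fixed revision according to the first post in the thread.
GENTOO_FIXED_ATOM = "net-misc/openssh-9.7_p1-r6"


def parse_gentoo_atom(atom: str) -> Tuple[int, ...]:
    """'net-misc/openssh-9.7_p1-r6' -> (9, 7, 1, 6); missing suffixes count as 0."""
    m = _ATOM_RE.match(atom.strip())
    if m is None:
        raise ValueError(f"unrecognised openssh atom: {atom!r}")
    return tuple(int(g or 0) for g in m.groups())


def gentoo_is_fixed(installed_atom: str, fixed_atom: str = GENTOO_FIXED_ATOM) -> bool:
    """True if the installed revision is at or above the first fixed revision.

    On the host, obtain installed_atom with:  qlist -Iv net-misc/openssh
    """
    return parse_gentoo_atom(installed_atom) >= parse_gentoo_atom(fixed_atom)


def triage(banner: str, installed_atom: Optional[str] = None) -> str:
    """Banner verdict, overridden by the package revision when one is supplied."""
    verdict = classify_banner(banner)
    if verdict == "likely vulnerable" and installed_atom is not None:
        if gentoo_is_fixed(installed_atom):
            return "fixed (Gentoo revision)"
        return "vulnerable (Gentoo revision too old)"
    return verdict


if __name__ == "__main__":
    # Constructed banners: the Gentoo one matches the thread, the rest are
    # typical Debian/upstream strings used for comparison.
    for b in ("SSH-2.0-OpenSSH_9.7", "SSH-2.0-OpenSSH_9.7p1 Debian-7",
              "SSH-2.0-OpenSSH_9.8", "SSH-2.0-OpenSSH_8.4p1"):
        print(f"{b:40} -> {classify_banner(b)}")
    # The thread's host: banner says 9.7, Portage says 9.7_p1-r6.
    print(triage("SSH-2.0-OpenSSH_9.7", "net-misc/openssh-9.7_p1-r6"))
```

The banner step alone reports the Gentoo host as "likely vulnerable" exactly as the checker did; only the revision comparison turns that into "fixed". The general lesson holds for any distribution that backports without changing its banner: a remote version probe can tell you a host is unpatched upstream, but it cannot prove it is vulnerable, so the authoritative check is the package manager's record of what is installed.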